Attaching SSL certificate to Azure application gateway in Terraform

Question

It's been somewhat long I'm trying to automate the deployment of an application gateway using Terraform but it simply fails with an error message. I have made sure all protocol settings to HTTPS. However, I doubt there is something fishy with the PFX certificate.

Is it that I'm not supplying the authentication certificate due to which it's failing? Tried a lot over the web to get a solution but there are no mentions of this.

Terraform Code:

# Create a resource group
resource "azurerm_resource_group" "rg" {
  name     = "my-rg-application-gateway-12345"
  location = "West US"
}

# Create a application gateway in the web_servers resource group
resource "azurerm_virtual_network" "vnet" {
  name                = "my-vnet-12345"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  address_space       = ["10.254.0.0/16"]
  location            = "${azurerm_resource_group.rg.location}"
}

resource "azurerm_subnet" "sub1" {
  name                 = "my-subnet-1"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "10.254.0.0/24"
}

resource "azurerm_subnet" "sub2" {
  name                 = "my-subnet-2"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_network_name = "${azurerm_virtual_network.vnet.name}"
  address_prefix       = "10.254.2.0/24"
}

resource "azurerm_public_ip" "pip" {
  name                         = "my-pip-12345"
  location                     = "${azurerm_resource_group.rg.location}"
  resource_group_name          = "${azurerm_resource_group.rg.name}"
  public_ip_address_allocation = "dynamic"
}

# Create an application gateway
resource "azurerm_application_gateway" "network" {
  name                = "my-application-gateway-12345"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  location            = "West US"

  sku {
    name           = "Standard_Small"
    tier           = "Standard"
    capacity       = 2
  }

  gateway_ip_configuration {
      name         = "my-gateway-ip-configuration"
      subnet_id    = "${azurerm_virtual_network.vnet.id}/subnets/${azurerm_subnet.sub1.name}"
  }

  ssl_certificate {
    name     = "certificate"
    data     = "${base64encode(file("mycert.pfx"))}"
    password = "XXXXXXX"
  }

  frontend_port {
      name         = "${azurerm_virtual_network.vnet.name}-feport"
      port         = 80
  }

  frontend_ip_configuration {
      name         = "${azurerm_virtual_network.vnet.name}-feip"
      public_ip_address_id = "${azurerm_public_ip.pip.id}"
  }

  backend_address_pool {
      name = "${azurerm_virtual_network.vnet.name}-beap"
  }

  backend_http_settings {
      name                  = "${azurerm_virtual_network.vnet.name}-be-htst"
      cookie_based_affinity = "Disabled"
      port                  = 443
      protocol              = "Https"
     request_timeout        = 1
  }

  http_listener {
        name                                  = "${azurerm_virtual_network.vnet.name}-httpslstn"
        frontend_ip_configuration_name        = "${azurerm_virtual_network.vnet.name}-feip"
        frontend_port_name                    = "${azurerm_virtual_network.vnet.name}-feport"
        protocol                              = "https"
  }

  request_routing_rule {
          name                       = "${azurerm_virtual_network.vnet.name}-rqrt"
          rule_type                  = "Basic"
          http_listener_name         = "${azurerm_virtual_network.vnet.name}-httpslstn"
          backend_address_pool_name  = "${azurerm_virtual_network.vnet.name}-beap"
          backend_http_settings_name = "${azurerm_virtual_network.vnet.name}-be-htst"
  }
}

Error:

Error: Error applying plan:

1 error(s) occurred:

* azurerm_application_gateway.network: 1 error(s) occurred:

* azurerm_application_gateway.network: Error Creating/Updating ApplicationGateway "my-application-gateway-12345" (Resource Group "my-rg-application-gateway-12345"): network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="ApplicationGatewayHttpsListenerMustReferenceSslCert" Message="Http Listener /subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/my-rg-application-gateway-12345/providers/Microsoft.Network/applicationGateways/my-application-gateway-12345/httpListeners/my-vnet-12345-httpslstn uses protocol Https. Ssl Certificate must be specified." Details=[]

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Answer 1

As mentioned in the azurerm_application_gateway docs you need to add the ssl_certificate_name to your http_listener block when using https.